<html>
<head><meta charset="utf-8"><title>Comparing crates.io and GH code? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html">Comparing crates.io and GH code?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="174339940"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Comparing%20crates.io%20and%20GH%20code%3F/near/174339940" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html#174339940">(Aug 28 2019 at 07:39)</a>:</h4>
<p>Is there an existing tool that can compare the source code uploaded on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> with what is on GH? In some cases the author forgot to set a tag, so such a tool would be useful to even find out which commit should carry the tag, and otherwise it still seems like something that we probably want to check for when a crate is hosted on GH.</p>



<a name="174379660"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Comparing%20crates.io%20and%20GH%20code%3F/near/174379660" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html#174379660">(Aug 28 2019 at 16:33)</a>:</h4>
<p>This sounds like the sort of thing Ben Laurie wants binary transparency for (where source code is... a kind of binary <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span> )</p>



<a name="174424269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Comparing%20crates.io%20and%20GH%20code%3F/near/174424269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html#174424269">(Aug 29 2019 at 05:05)</a>:</h4>
<p>It wouldn't work in general because the crate is allowed to contain things that aren't in GitHub. I do this in <em>ring</em> as I don't check in generated binaries into GitHub but they are in the crate to minimize build dependencies.</p>



<a name="174424391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Comparing%20crates.io%20and%20GH%20code%3F/near/174424391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html#174424391">(Aug 29 2019 at 05:08)</a>:</h4>
<p>needs more reproducible builds. seems close, though, except for the libfaketime bugs</p>



<a name="174428583"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Comparing%20crates.io%20and%20GH%20code%3F/near/174428583" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Comparing.20crates.2Eio.20and.20GH.20code.3F.html#174428583">(Aug 29 2019 at 06:51)</a>:</h4>
<blockquote>
<p>It wouldn't work in general because the crate is allowed to contain things that aren't in GitHub. I do this in <em>ring</em> as I don't check in generated binaries into GitHub but they are in the crate to minimize build dependencies.</p>
</blockquote>
<p>interesting. yes, generated binaries sound like we need reproducible builds, but I assume those are built from C or so?</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>